[Breaking change]: Rfc2898DeriveBytes constructors that provide a default number of iterations or a default hash algorithm are obsolete. #28812

@bartonjs

Description

The following constructors are declared [Obsolete] with diagnostic SYSLIB0041 in .NET 7 (starting in Preview 4) because they default the hash algorithm or number of iterations, and the defaults are no longer considered secure:

  • M:System.Security.Cryptography.Rfc2898DeriveBytes.#ctor(System.String,System.Byte[])
  • M:System.Security.Cryptography.Rfc2898DeriveBytes.#ctor(System.String,System.Int32)
  • M:System.Security.Cryptography.Rfc2898DeriveBytes.#ctor(System.Byte[],System.Byte[],System.Int32)
  • M:System.Security.Cryptography.Rfc2898DeriveBytes.#ctor(System.String,System.Byte[],System.Int32)
  • M:System.Security.Cryptography.Rfc2898DeriveBytes.#ctor(System.String,System.Int32,System.Int32)

These are all of the constructors that were available in .NET 4.7.1 and prior versions. Only the new constructors should be used going forward.

Version

Other (please put exact version in description textbox)

Previous behavior

Making use of these constructors did not produce a warning.

New behavior

Compiling against .NET 7 while using any of these constructors will result in a SYSLIB0041 warning.

Type of breaking change

  • Binary incompatible: Existing binaries may encounter a breaking change in behavior, such as failure to load/execute or different run-time behavior.
  • Source incompatible: Source code may encounter a breaking change in behavior when targeting the new runtime/component/SDK, such as compile errors or different run-time behavior.

Reason for change

The default iteration count and hash algorithm were chosen for .NET Framework 2.0 and are no longer considered strong choices.

Recommended action

Callers should explicitly specify the iteration count (the default is 1000) and hash algorithm name (the default is HashAlgorithmName.SHA1) via a longer overload.

Callers who are using the default iteration count or default hash algorithm should consider moving to more secure values (a larger iteration count and/or a newer hash algorithm).

Feature area

Cryptography

Affected APIs

  • M:System.Security.Cryptography.Rfc2898DeriveBytes.#ctor(System.String,System.Byte[])
  • M:System.Security.Cryptography.Rfc2898DeriveBytes.#ctor(System.String,System.Int32)
  • M:System.Security.Cryptography.Rfc2898DeriveBytes.#ctor(System.Byte[],System.Byte[],System.Int32)
  • M:System.Security.Cryptography.Rfc2898DeriveBytes.#ctor(System.String,System.Byte[],System.Int32)
  • M:System.Security.Cryptography.Rfc2898DeriveBytes.#ctor(System.String,System.Int32,System.Int32)
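
The recommended action applied to stored password hashes, as an added example (not code from the issue or the .NET runtime): records created through the obsolete constructors are verified with the old defaults spelled out, then re-derived with stronger values. `StoredHash`, `PasswordKdf` and the 600,000-iteration SHA-256 target are assumptions.

```csharp
using System;
using System.Security.Cryptography;

// Hypothetical record for a stored password verifier (not a .NET API).
public sealed record StoredHash(byte[] Salt, byte[] Hash, int Iterations, string HashName);

public static class PasswordKdf
{
    // Assumed target parameters; tune the iteration count to your own hardware and policy.
    private const int TargetIterations = 600_000;
    private static readonly HashAlgorithmName TargetHash = HashAlgorithmName.SHA256;

    // What the obsolete constructors used implicitly: 1000 iterations of HMAC-SHA1.
    // Passing the same values to the longer overload yields the same bytes
    // without triggering SYSLIB0041.
    public static StoredHash FromLegacy(byte[] salt, byte[] hash) =>
        new(salt, hash, 1000, HashAlgorithmName.SHA1.Name!);

    // New records always state both parameters explicitly and store them with the hash.
    public static StoredHash Create(string password)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(16);
        using var kdf = new Rfc2898DeriveBytes(password, salt, TargetIterations, TargetHash);
        return new StoredHash(salt, kdf.GetBytes(32), TargetIterations, TargetHash.Name!);
    }

    // Verifies with the parameters the record was created with. On success,
    // returns a re-derived record in 'upgraded' when those parameters are
    // weaker than the target, so the caller can replace the stored value.
    public static bool Verify(string password, StoredHash stored, out StoredHash? upgraded)
    {
        upgraded = null;
        using var kdf = new Rfc2898DeriveBytes(
            password, stored.Salt, stored.Iterations, new HashAlgorithmName(stored.HashName));
        byte[] candidate = kdf.GetBytes(stored.Hash.Length);
        if (!CryptographicOperations.FixedTimeEquals(candidate, stored.Hash))
            return false;

        if (stored.Iterations < TargetIterations || stored.HashName != TargetHash.Name)
            upgraded = Create(password);
        return true;
    }
}
```

Changing the iteration count or hash algorithm changes the derived bytes, so existing records can only be upgraded at a point where the password is available, such as a successful login.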

Labels

  • 🏁 Release: .NET 7 (Work items for the .NET 7 release)
  • breaking-change (Indicates a .NET Core breaking change)
  • source incompatible (Source code may encounter a breaking change in behavior when targeting the new version.)
